SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #50
November 04, 2005
TOP OF THE NEWSResearcher: Sony Music's DRM Software Amounts to Rootkit
Teen Cleared of Charges Because Denial-of-Service Attacks are Not Illegal Under UK's CMA
Ernst and Young: Compliance Drives IT Security Into the Boardroom
THE REST OF THE WEEK'S NEWSARRESTS, CONVICTIONS AND SENTENCES
eBay Fraudster Sentenced to Four Years in Jail
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Cautions Users About Unofficial XP SP3
Cisco Releases Update for Heap Overflow Flaw in IOS
Proof-of-Concept Worm Targets Oracle Databases
PHP 4.4.1 Upgrade Fixes Security Holes
Apple Releases Mac OS X 10.4.3
ATTACKS & INTRUSIONS & DATA THEFT
SEC Files Charges Against Alleged Business Wire Data Thieves
S. Korea Policy Makers Release Biometric Data Collection Guidelines
Employers Should Provide Incentives for Developers to Create Secure Code
SEC Releases Tips for Safeguarding Personal Information and Money Online
Increasing Online Banking Also a Boon for Cyber Thieves
UK Government to Pay Mobile Phone Companies to Retain Data
**************** WHICH SECURITY TRANING ACTUALLY WORKS? *****************
"This is my first time at SANS but definitely not my last. An amazing experience. It was all I had hoped, yet better than I ever expected. I can't wait to return." Sean Wilkerson, USAID
"Valuable information that can be put to use right away at the office." Dustin Gregory, Seagate
"You can be a practicing professional or have all the certification, but you will always learn something new at SANS." Gordon Stuart, Wells Fargo Bank
"I truly appreciate the unbiased approach which also promotes a non adversarial and open learning environment. Great bang for the buck." Randall Pouliot, DoD
You can have these great instructors come to your site, study with them online, or join us in Baltimore or San Diego or Amsterdam or many other cities. Why wait?
TOP OF THE NEWS
Researcher: Sony Music's DRM Software Amounts to Rootkit (3/2/1 November 2005)A researcher has dubbed Sony Music's copy restriction measures on compact disks a "rootkit." The DRM protection on the CD only allows Windows users to play the tracks through a bundled version of Media Player. In addition to depositing code on the computer that limits the number of digital copies that can be made, the software also creates a hidden directory. When the researcher used a standard rootkit removal tool on the software, it rendered his CD drive inoperable. Deleting the cloaked files inflicts significant damage on the computer requiring a complete reformat and reinstall. Sony has said it will offer a patch that uncloaks the previously hidden files.
Teen Cleared of Charges Because Denial-of-Service Attacks are Not Illegal Under UK's CMA (3/2 November 2005)A UK teenager who had been accused of launching a denial-of-service (DoS) attack against his former employer has been cleared of charges because the wording of the Computer Misuse Act (CMA) does not make DoS attacks a crime. The unnamed youth was charged under section 3 of the CMA, which deals with unauthorized data modification and system tampering. His defense argued that the alleged flood of unsolicited email constituted neither unauthorized access nor modification because the purpose of the email server was to receive email messages. District Judge Kenneth Grant remarked that the "computer world has changed since the 1990 Act" but that the teen's acts were not illegal under the CMA. Peter Sommer, an expert witness for the defense, observed that the outcome of the trial highlights the need for reforms to be made to the CMA. Expert witness for the prosecution Paul Overton called DoS attacks a legal "gray area."
[Editor's Note (Hayler): The weaknesses of the current legislation have been discussed for several years now. An amendment bill has already been presented to Parliament and is due for a second reading in December:
Ernst and Young: Compliance Drives IT Security Into the Boardroom (2 November 2005)Ernst and Young's most recent global information security survey found that companies are spending a disproportionate share of their security budget on compliance with directives and regulations instead of on other security threats. The focus on compliance means that IT security has taken a place in the corporate boardroom; nearly two-thirds of those responding to the survey said compliance is the primary driver behind information security at their organizations. The study's findings suggest that companies are not paying adequate attention to security threats related to emerging technologies such as mobile computing, wireless and Internet telephony. In addition, companies may be giving insufficient attention to security issues surrounding suppliers and outsourcing partners.
[Editor's Note (Pescatore): I call this the "regulatory distraction" threat. Sarbanes Oxley has become a two edged sword. For security folks, it has become like Y2K was: a great justification to convince management to spend money on security solutions that they otherwise wouldn't fund. That can be a plus, but it has reached the point where every security vendor puts "compliance" into their product descriptions, and many auditors are simply driving tons of more reporting in the name of compliance. Compliant doesn't mean secure.
(Schultz): This is an extremely important finding. Although compliance helps put information security on the map, so to speak, at the same time controls implemented solely for the sake of compliance are often inappropriate in relationship to the security-related threats that individual organizations face. ]
*************************** SPONSORED LINK ******************************
ALERT: Most powerful content filtering solution - confirmed by
independent tests. Get the full report!
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
eBay Fraudster Sentenced to Four Years in Jail (2/1 November 2005)David Levi has been sentenced to four years in jail for masterminding a phishing scam that stole nearly 200,000 GBP (US$355,000) from eBay customers. Mr. Levi headed a group that included six other people who tricked eBay shoppers into disclosing their passwords and other account information. His conviction is believed to be the first in the UK for phishing fraud.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Cautions Users About Unofficial XP SP3 (3 November 2005)An unofficial version of Microsoft Service Pack 3 (SP3) for Windows XP available on the Internet could harm users' computers. The person who released the phony SP3 package says it is cobbled together from Microsoft hot fixes. Microsoft plans to release an official version of XP SP3 after the release of Windows Vista, which is expected to be shipped late next year.
[Editor's Note (Honan): A key difference between an official Service Pack and "bundling" hot fixes together is that Service Packs are more extensively tested than hotfixes. Installing unofficial software on systems is simply asking for trouble. ]
Cisco Releases Update for Heap Overflow Flaw in IOS (3 November 2005)Cisco has released a software update that fixes a serious heap overflow vulnerability in its Internetwork Operating System. The flaw could allow attackers to gain control of vulnerable Cisco routers and switches. The flaw made headlines in July, 2005 when a researcher exploited it in a demonstration at the Black Hat security conference. Users should update their Cisco devices as soon as possible.
Proof-of-Concept Worm Targets Oracle Databases (1 November 2005)A proof-of-concept worm that exploits default usernames and passwords in Oracle databases has been posted on the Internet. Once the malware is on a network, it scans for other Oracle databases. This particular version is not malicious, but it could easily be tweaked to make it dangerous. Oracle database users are urged to change default passwords on the databases.
PHP 4.4.1 Upgrade Fixes Security Holes (1 November 2005)Security flaws in PHP versions 4.4.0 and earlier could allow attackers to conduct cross-site scripting attacks, circumvent some security restrictions and potentially compromise systems. Users of the open source web development environment are urged to update to version 4.4.1. PHP 5.0.5 seems to be unaffected.
Apple Releases Mac OS X 10.4.3 (1 November 2005)Apple has updated Mac OS X to version 10.4.3; the update includes fixes for five security vulnerabilities in the operating system and bundled applications. One of the security flaws could be exploited to circumvent security restrictions. The update is available for Mac clients and Mac servers.
ATTACKS & INTRUSIONS & DATA THEFT
SEC Files Charges Against Alleged Business Wire Data Thieves (1 November 2005)The US Securities and Exchange Commission has filed charges against an Estonian financial services company and two of its employees for stealing confidential information from Business Wire web site and using to it make profits of at least US$7.8 million. The company allegedly became a Business Wire client to gain access to the secure client site; Business Wire distributes news releases and regulatory filings for companies. The defendants allegedly used a "spider" program to gather the data of other companies prior to public release and used information from more than 360 press releases before they were made public to conduct their illicit trading.
[Editor's seems like BusinessWire has culpability for maintaining an insecure "secure client site"? This is not much different than ChoicePoint allowing phony businesses to get access to credit records.
S. Korea Policy Makers Release Biometric Data Collection Guidelines (31 October 2005)South Korea's Ministry of Information and Communication has released guidelines describing how the government and other organizations may collect biometric data from individuals. Organizations must obtain permission to gather the data and must return or dispose of it as requested by individuals. Data on minors can be gathered only with the consent of their legal guardians. The guidelines will not be mandatory when they go into effect later this year, but some time later legislation is likely to follow.
Employers Should Provide Incentives for Developers to Create Secure Code Schmidt: Shared Responsibility Can Produce More Secure Code (3 November 2005)Software developers often work under a great deal of pressure to create code quickly; reviewing code for security holes can often be overlooked in this time-sensitive process. Howard Schmidt says that developers need to be accountable to their employers for writing good code and that the employers should provide the developers with the tools and incentives that will help them produce secure code. A developer's record for securely written software should be taken into account during performance reviews; employers could also offer financial incentives for those who create secure code. Developers also need to be trained in the practice of writing secure code and provided with the necessary tools to help them check their work. Employers should expect employees to take pride in their work and assume some responsibility for it; employees should expect employers to provide them with the tools and training that will help them write secure code.
SEC Releases Tips for Safeguarding Personal Information and Money Online (3 November 2005)The US Securities and Exchange Commission has released a guide for investors recommending steps they can take to protect their online brokerage accounts from data thieves. Among the SEC's recommendations are checking the sites' security certificates, using security tokens when available, not responding to email asking for personal data, using strong password practices and logging out completely from accounts.
Increasing Online Banking Also a Boon for Cyber Thieves (2 November 2005)USA Today conducted a four-month investigation into online banking and cyber crime. Over the past two years, financial institutions have made it easier for customers to conduct business over the Internet; while some may appreciate being able to make account transfers, pay bills and apply for credit online, this also makes it easier for thieves to steal money online. A major problem is that most institutions require only a user name and password to gain access to accounts. Bank of America plans to add log-on steps, making it the first major bank in the United States to deploy an additional layer of authentication. Links to related stories include information on measures to reduce the risks of banking online.
[Editor's Note (Schultz): Kudos go to Bank America for forging ahead with stronger authentication. Username-password-based authentication is badly outdated; those who continue using this weak authentication method will continue to reap the consequences.
(Paller): The Bank of America solution does not offer a significant increase in protection for consumers. Hackers can capture the images with a few lines of code in the trojans they have installed to capture the passwords. It is time for actual two-authentication in the US. Banks can do it with cell phones or even password lists they mail with the statements. And many consumers should be very worried about the banks' failure because banks are refusing to cover losses for businesses and so any consumer who runs a business from his or =her home could fall victim to the banks lack of care. ]
UK Government to Pay Mobile Phone Companies to Retain Data (2 November 2005)The UK government has reportedly budgeted six million GBP (US$10.6 million) to pay mobile phone companies to retain call records. The government presently has an agreement with one mobile operator to retain call data and is negotiating with others. European policy makers are being pressured by UK ministers to require communications service providers to retain mobile phone and Internet data as an anti-terrorist measure.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit